Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] bsdmainutils Local Root Compromise

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] bsdmainutils Local Root Compromise
Date: 1 Sep 2004 14:05:55 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  bsdmainutils Local Root Compromise
------------------------------------------------------------------------


SUMMARY

 <http://packages.debian.org/unstable/utils/bsdmainutils> bsdmainutils is 
"a collection of small programs many people expect to find when they use a 
BSD-style UNIX system. Included are: banner, ncal, cal, calendar, col, 
colcrt, colrm, column, from, hexdump, look, lorder, ul and write".

A vulnerability in its calendar program allows local users to gain root 
privileges by causing the program to include sensitive files in its event 
notification emails.

DETAILS

Vulnerable Systems:
 * bsdmainutils version 6.0.14 and prior

Immune Systems:
 * bsdmainutils version 6.0.1 or newer

How calendar works
The calendar program uses event files with this format:

<date><tab><event description>

This is not all however. Calendar gives users the ability to include other 
event-files and define variables and macros. To do this, it calls cpp (the 
C preprocessor) on the main event file and processes the output.

When called with the "-a" option, calendar will processes the event files 
of all users and send the result by mail.

The bsdmainutils package in Debian uses this feature from: 
/etc/cron.daily/bsdmainutils. Luckily, it is not enabled by default since 
you have to comment an "exit 0" line in the cron script to activate it.

The problem:
Calendar does not drop its privileges. In order to be useful when running 
with the "-a" option, it needs to run as root. By creating an event file 
as follows, we can get the hashed root password (on June 28th):

#define root Jun. 28<tab>cut_here
#include </etc/shadow>
Jun. 28<tab>Birthday of Steven Van Acker
Aug. 19<tab>Birthday of Andrew Griffith

(<tab> indicates an actual tab, so char '\t')

Since calendar is running as root, there will be no problem accessing the 
shadow password file. The result contains the hashed password of root, 
which can then be cracked.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0793> 
CAN-2004-0793


ADDITIONAL INFORMATION

The information has been provided by  <mailto:deepstar@ulyssis.org> Steven 
Van Acker.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] bsdmainutils Local Root Compromise, SecuriTeam <=
Previous by Date:  [EXPL] D-Link DCS-900 Internet Camera Abitrary IP Changing Vulnerability, SecuriTeam
Next by Date:  [NEWS] NetworkEverywhere Router Model NR041 Script Injection via DHCP, SecuriTeam
Previous by Thread:  [EXPL] D-Link DCS-900 Internet Camera Abitrary IP Changing Vulnerability, SecuriTeam
Next by Thread:  [NEWS] NetworkEverywhere Router Model NR041 Script Injection via DHCP, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]